E-commerce is driving companies to develop an entire new set of applications that are available to businesses and individuals on the World Wide Web. Web-based applications enable corporations to offer a wide range of products and services by supporting corporate business processes. Such processes include online retail, customer service, supply chain procurement, and delivery of operational and transactional data.
Some people that visit an enterprise's web site (i.e., a location on the World Wide Web) may simply be browsing, while others may wish to use services requiring the exchange of confidential information or other protected data. Additionally, an enterprise may want a software application to be available to only a specific class of people (e.g., paid subscribers). Therefore, once a person enters the web site, the enterprise must control which corporate computers and applications, as well as what information, that person can use. The enterprise needs a means of securing access to the enterprise network to ensure that particular data on the web site is not available to a person who was not authenticated and authorized.
People access an enterprise's web site from the Internet or the enterprise's intranet through a front-end server in the enterprise's computer network. Generally, an enterprise has one or more centralized computers that function as front-end servers in the enterprise network. The front-end servers must control and secure access to the enterprise network to protect valuable data from unauthorized users. One method of controlling and securing access is via authentication and authorization processes. These processes limit access to the enterprise network, access to the particular computer systems and other resources in the enterprise network, and actions available to a user once access is permitted (e.g., view specific accounts or purchase securities on margin).
The purpose of an authentication process is to determine whether the true identity of a user is that which the user presents when attempting access to the enterprise network, for example via a username, password, and credentials. The authentication process validates the user's credentials before permitting access to the enterprise network or a secure resource within the enterprise network. A user's credentials may include a digital certificate obtained from a certificate-issuing authority (e.g., VeriSign, Inc. headquartered in Mountain View, Calif.), a username and a password, or additional information known only to the user and the authentication process (e.g., a personal identification number, known as a PIN).
The purpose of an authorization process is to determine the actions available to a user once authenticated. The authorization process checks a user's permissions to ensure that he or she is entitled to have access to a protected computer or protected resource in the enterprise network. Furthermore, the authorization process determines what the user is entitled to do once access to the protected computer or protected resource is granted.
Other enterprise computers, which are networked to the front-end servers, run a variety of applications. A computer networked to the front-end servers, hereinafter referred to as a back-end server, may have access to a database that contains information used to customize an application running on the back-end server for users of the application. The database system may be interfaced directly to application software executing on a back-end server, and may not communicate with other applications installed in the enterprise network.
A front-end server may run the authentication process, thereby verifying the user's identification and validating the user's credentials. Once the user is authenticated and gains access to the enterprise network (or protected resources in the enterprise network), the user's web browser may display a menu from which a service may be chosen. In the financial industry, services may include accessing private portfolios to check account balances and transactions, trading securities, or conducting research on publicly held companies. In a business-to-business e-commerce environment, services may include placing an order for a product or checking the status of an order.
After the user makes a selection, the appropriate application on a back-end server is contacted. The user may then be prompted to sign onto the application. Before being able to use the chosen application, a second authentication process is executed to check the authenticity of the user. This second authentication process on the back-end server is redundant because the user was previously authenticated by one of the front-end servers. However, the back-end server has no means of knowing that the user was previously authenticated. Additionally, an application-specific authorization process is executed to check and obtain entitlements that further specify a user's rights to access the application and utilize certain features offered by the application.
Each application may contain unique authentication and authorization processes. These processes are security mechanisms that control user access to the resources (e.g., services and data) provided by an application. The authentication and authorization processes may be coded directly into the application and the application may store information that imposes a set of access privileges on a particular user. The information is stored in a database that is local to the application, and is generally completely independent from the user directory on the front-end servers and from the user directories for all other applications. Therefore, redundant information regarding the user may be stored.
The unique security processes that perform authentication and authorization functions may be managed by different groups of individuals, hereinafter referred to as system administrators. Thus, privileges associated with a particular user may not be synchronized throughout the computer network, thereby compromising security. For example, a security compromise due to a synchronization problem may occur when a system administrator for one back-end server removes access privileges, yet the front-end servers continue to permit the user to contact the back-end server. Some enterprises may synchronize the databases throughout the network on a daily basis to avoid such a security compromise. However, if the synchronization process does not successfully synchronize the databases (e.g., a database was inaccessible), a security compromise may still occur.
Each front-end server and each back-end server may store user identifiers and corresponding access privilege codes in their respective databases, rather than using a single central database to store such information. Localized user identifiers and privilege codes are necessary because the front-end servers have no means of propagating the identifiers and privilege codes throughout the enterprise network to the back-end servers. Furthermore, management of the various computers and applications in an enterprise network is generally delegated to different system administrators who require unique user information for the systems they manage. As a result, the user must keep track of and use multiple user identifiers, one for use on the front-end servers and one for use on each back-end server. Even when the multiple user identifiers contain identical alpha-numeric sequences, the user must submit to a login process for the front-end servers and each back-end server, thereby experiencing delayed access while moving between applications in the enterprise network.
As a result of storing multiple identifiers throughout the enterprise network for the same user, no means exists for drawing any correlation between a user accessing one application and the same user accessing a different application in the enterprise network. Such a correlation is useful for sharing authentication and authorization data, not only within the enterprise network, but also for affiliated services available from a business partner's web site.
Generally, an enterprise has the goal of repeatedly bringing many businesses and individuals to the enterprise's web site. To achieve this goal, the web site must be easy to navigate, and without delay, allow users to efficiently access the applications that provide the services. Requiring the user to sign onto the web site multiple times introduces delay in accessing the enterprise's applications.
Some enterprise networks alleviate the multiple sign-on issue by executing the login process on a back-end server without the user's knowledge. An authentication and authorization process is executed nevertheless, which takes time and causes a delay in accessing the application. Instant access is expected for e-commerce applications and other types of applications, and therefore, the user may become impatient and frustrated due to the delay. Such a user may then choose to conduct business elsewhere or use resources available at another enterprise's web site.
As web-based applications proliferate, a scalability issue arises that poses a challenge to corporations and other enterprises. As previously discussed, each back-end server may be managed by different system administrators. Each system administrator may have a unique set of criteria and guidelines for managing the back-end server for which he or she is responsible, including security management procedures. A large financial services corporation may have more than 100 computers in their enterprise network. Therefore, numerous system administrators may be managing security enforcement mechanisms for the web site and the efforts of those system administrators may not be coordinated. Additionally, storing user access privileges in a central database may not be feasible, for example, due to the delegation of system administration tasks and the unique security requirements of each application. Traditional security and user management tools do not have a comprehensive security infrastructure currently in place.
Known Single Sign-On solutions (e.g., Siteminder® v3.6 access management application produced by Netegrity, Inc. of Waltham, Mass.) exist that pass a user's identity between heterogeneous web servers. When a user authenticates him or herself, a cookie is created containing the necessary session information identifying a user by a name that may be used as a unique key to lookup the user's record in the authentication database. This user name varies depending upon the type of the authentication database deployed at a site. For example, the login name may be used with SQL databases. The entire Distinguished Name is stored in the cookie for LDAP directories.
The session information stored in the cookie enables an access management application to uniquely identify a user without forcing the user to re-authenticate when the authorization database is the same database as the authentication database. Cross-domain SSO can also be supported, enabling credentials to be available to all other domains so long as those domains utilize the authentication database having identical user names.
There is no existing solution for uniquely identifying users throughout a wide range of applications. For example, many customer environments have applications that have individual authentication and authorization databases. Over the years, each of these applications have tended to define their own unique and distinct user name for the same user. Although SSO solutions help by authenticating the user out of the central authentication database, the applications are not aware of the exact user name as it pertained to the applications' specific authorization database.
Another unsolved issue relates to the requirement of the SSO to maintain a centralized mapping of all the application-specific user names for the same user. This is needed to ensure data consistency across multiple applications. For example, a user's action such as updating a user profile may require that user-specific data be updated in multiple applications simultaneously. Having to maintain this kind of synchronization is very difficult, costly, and does not scale as the number of users increases.
Still another unsolved issue relates to the inability for multiple businesses to partner up and provide business services to the same user. A user can not carry out a business transaction on one web site, and then go to another web site without being re-challenged for credentials. Again, this is because the applications that are running on these sites do not share the same user name structure.
The information that known SSO solutions store in the cookie is used solely for authentication. Therefore, the applications that the user attempted to access are not cognizant of the user's identity for the purpose of authorizing the user. To ascertain the user identity, applications throughout the enterprise network must therefore perform their own mapping of the central authentication identity to the application-specific authorization identity.